Right now "git hash-object" will do some basic sanity checks of the input using the usual parser code. This series teaches it to use the fsck code instead, which should catch more things. See patch 6 for some discussion of the implications. The reason this is marked as an RFC is that at the end, compiling with SANITIZE=address will provoke a failure in t3800. The issue is that fsck_tag_standalone(), when fed a buffer/size combo, will look for a NUL at the end of the headers, which might be buffer[size]. This is usually OK for objects we've loaded from the odb, because we intentionally stick an extra NUL at the end for safety. But here index_mem() may get an arbitrary buffer. I'm not sure yet of the right path forward. It's not too hard to add an extra NUL in most cases, but one code path will mmap a file on disk. And sticking a NUL there is hard (we already went down that road trying to avoid REG_STARTEND for grep, and there wasn't a good solution). The other option is having the fsck code avoid looking past the size it was given. I think the intent is that this should work, from commits like 4d0d89755e (Make sure fsck_commit_buffer() does not run out of the buffer, 2014-09-11). We do use skip_prefix() and parse_oid_hex(), which won't respect the size, but I think[1] that's OK because we'll have parsed up to the end-of-header beforehand (and those functions would never match past there). Which would mean that 9a1a3a4d4c (mktag: allow omitting the header/body \n separator, 2021-01-05) and acf9de4c94 (mktag: use fsck instead of custom verify_tag(), 2021-01-05) were buggy, and we can just fix them. [1] But I said "I think" above because it can get pretty subtle. There's some more discussion in this thread: https://lore.kernel.org/git/20150625155128.C3E9738005C@xxxxxxxxxxxxxx/ but I haven't yet convinced myself it's safe. This is exactly the kind of analysis I wish I had the power to nerd-snipe René into. Anyway, here are the patches in the meantime. I do think this is a good direction overall, modulo addressing the NUL-terminator question. [1/6]: t1007: modernize malformed object tests [2/6]: t1006: stop using 0-padded timestamps [3/6]: t7030: stop using invalid tag name [4/6]: t: use hash-object --literally when created malformed objects [5/6]: fsck: provide a function to fsck buffer without object struct [6/6]: hash-object: use fsck for object checks fsck.c | 29 ++++++++++------- fsck.h | 8 +++++ object-file.c | 55 +++++++++++++------------------- t/t1006-cat-file.sh | 6 ++-- t/t1007-hash-object.sh | 29 +++++++++++------ t/t1450-fsck.sh | 28 ++++++++-------- t/t4054-diff-bogus-tree.sh | 2 +- t/t4058-diff-duplicates.sh | 2 +- t/t4212-log-corrupt.sh | 4 +-- t/t5302-pack-index.sh | 2 +- t/t5504-fetch-receive-strict.sh | 2 +- t/t5702-protocol-v2.sh | 2 +- t/t6300-for-each-ref.sh | 2 +- t/t7030-verify-tag.sh | 2 +- t/t7031-verify-tag-signed-ssh.sh | 2 +- t/t7509-commit-authorship.sh | 2 +- t/t7510-signed-commit.sh | 2 +- t/t7528-signed-commit-ssh.sh | 2 +- t/t8003-blame-corner-cases.sh | 2 +- t/t9350-fast-export.sh | 2 +- 20 files changed, 101 insertions(+), 84 deletions(-) -Peff